b'   November 24, 2003\n\n\n\n\nAcquisition\n\nDevelopment Testing of Space\nBased Infrared System Mission-\nCritical Software\n(D-2004-022)\n\n\n\n\n              Department of Defense\n          Office of the Inspector General\nQuality              Integrity        Accountability\n\x0c  Additional Copies\n\n  To obtain additional copies of this report, visit the Web site of the Inspector\n  General of the Department of Defense at www.dodig.osd.mil/audit/reports or\n  contact the Secondary Reports Distribution Unit of the Audit Followup and\n  Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703)\n  604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703)\n  604-8932. Ideas and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                    Inspector General of the Department of Defense\n                          400 Army Navy Drive (Room 801)\n                              Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling (800)\n  424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by\n  writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The\n  identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\n\nAFI        Air Force Instruction\nCA         Certifying Authority\nDAA        Designated Approval Authority\nDITSCAP    DoD Information Technology Security Certification and Accreditation\n            Process\nIATO       Interim Authority to Operate\nIHC        Interim Highly Elliptical Orbit Capability\nIPT        Integrated Product Team\nIRT        Independent Review Team\nSSAA       System Security Authorization Agreement\nSBIRS      Space Based Infrared System\nSEIT       System Engineering Integration Team\nSMM        System Maturity Matrix\n\x0c\x0c          Office of the Inspector General of the Department of Defense\nReport No. D-2004-022                                                 November 24, 2003\n   (Project No. D2002PT-0206)\n\n            Development Testing of Space Based Infrared System\n                        Mission-Critical Software\n\n                                 Executive Summary\n\nWho Should Read This Report and Why? Acquisition officials, program managers,\nand software managers who are responsible for the development and test of software\nshould read this report. It explains steps for effective government oversight of\ndevelopment testing as well as information assurance requirements for developmental\ntest information systems.\n\nBackground. This report is one of a series, which evaluate the adequacy of development\ntesting of mission-critical software in selected weapon systems. The previous report\n\xe2\x80\x9cDevelopment Testing of Prophet Mission-Critical Software,\xe2\x80\x9d (D-2003-051) January 22,\n2003, reviewed software development testing in the Army Prophet system. This report\nreviews the testing of mission-critical software contained in the Air Force Space Based\nInfrared System High.\n\nThe Space Based Infrared System (SBIRS) High is a constellation of high altitude\nsatellites with a ground system. It is the successor to the Defense Support Program with\nthe mission to provide missile warning, missile defense, technical intelligence, and battle\nspace characterization. Development of SBIRS High is in two increments. Increment 1\nachieved initial operational capability in December 2001. Increment 2 is currently in\ndevelopment and is scheduled to be complete in FY 2010. Estimated cost for\nIncrements 1 and 2 is $4.86 billion.\n\nDuring the fall of 2001, the SBIRS Program Director reported a likely Nunn-McCurdy\nBreach. On December 31, 2001, the Secretary of the Air Force notified Congress that the\nprogram had a cost breach. Because of the breach, the Under Secretary of Defense for\nAcquisition, Technology, and Logistics performed program reviews. In addition, during\nthe time of the review the Under Secretary of the Air Force directed that the program\noffice remove the total system performance responsibility clause from the contract.\nBased on those efforts the program was recertified on May 3, 2002.\n\nResults. The program office has not implemented effective requirement flow control by\ntracking the technical progress of requirements, assumed responsibility for approving all\ncritical test plans and reports and established a metric for annually reporting extended\ndevelopmental testing. The Designated Approval Authority inappropriately issued an\nInterim Authority To Operate for the Interim Highly Elliptical Orbit Capability and\nannually plans to issue one until initial operational capability scheduled for FY 2010.\n\nWithout effective management and oversight of development testing, Space Based\nInfrared System High is at risk of repeating problems previously identified by the\nIndependent Review Team during program recertification, which included inadequate\n\n                                             i\n\x0cmanagement of requirements, insufficient oversight of system development and lack of\nmeaningful metrics. The System Program Director, Space Based Infrared System, Space\nand Missile Systems Center should implement a System Maturity Matrix or similar tool,\nassume sign off responsibility for all critical test plans and reports, and provide to key\ndecisions makers an annual interim test report documenting extended developmental\ntesting. For details of this recommendation, see finding A of this report.\n\nValidation of system security features for the Interim Highly Elliptical Orbit Capability\nas required by the Defense Information Technology Security Certification and\nAccreditation Process were incomplete. By not validating the correct implementation\nand operation of system security features, the correctness of Interim Highly Elliptical\nOrbit Capability test data is in doubt, and its capability to test, assess, and support Space\nBased Infrared System is questionable. The Certifying Authority should ensure all\nvalidation tasks, which include security test and evaluation and penetration test are\ncomplete. The Designated Approval Authority should then accredit, withhold\naccreditation, or issue an Interim Authority To Operate. In addition, the Program\nDirector should remove the reaccreditation requirement for an annual Interim Authority\nTo Operate from the System Security Authorization Agreement and plan to have the\nInterim Highly Elliptical Orbit Capability achieve full accreditation within the next 12\nmonths. For details of this recommendation, see finding B of this report.\n\nManagement Comments and Evaluation Response. The System Program Director,\nSBIRS, Space and Missile Systems Center agreed to develop a System Maturity Matrix,\nand stated that the program office approves all critical system test plans and reports. The\nSystem Program Director agreed to implement an annual interim test report during\nextended developmental testing. In addition, the System Program Director agreed to\ncomplete security testing for the Interim Highly Elliptical Orbit Capability \xe2\x80\x93 now known\nas the Interim Test Center, and have the Designated Approval Authority verify that all\nvalidation tasks are completed before issuing an accreditation decision. The System\nProgram Director also agreed to discontinue the use if the Interim Authority to Operate as\na \xe2\x80\x9crecurring, routine exercise,\xe2\x80\x9d but anticipated using an Interim Authority to Operate for\nan additional 2 years. A discussion of management comments is in the Findings section\nof the report and the complete text is in the Management Comments section.\n\nThe System Program Director comments were responsive. However, we require further\ndetail in order to determine if the actions are sufficient. Specifically, the System Program\nDirector agreed to develop a System Maturity Matrix, but did not explain how the\nSystem Maturity Matrix will track requirements to effectivities and test results. We\nrequest that the System Program Director provide a description of the System Maturity\nMatrix explaining how it will track requirements to effectivities and test results. In\naddition, the System Program Director stated that the program office approves all critical\nsystem test plans and reports but did not explain whether the critical test plans and\nreports we identified, that did not require government approval, were included. We\nrequest that the System Program Director provide detailed information on the\ngovernment approval process for the critical test plans and reports that we identified as\nnot requiring government approval. As a final point, the System Program Director stated\nthat security testing for the Interim Test Center is planned for completion in December\n2003, and the use of the Interim Authority to Operate as a re-accreditation requirement\nwill be discontinued. We request that the System Program Director provide the updated\nInterim Test Center System Security Authorization Agreement containing the summary\nof the Interim Test Center security test results as well as the plan to achieve full\naccreditation. We request that the documents be provided by January 26, 2004.\n\n\n                                              ii\n\x0cTable of Contents\n\nExecutive Summary                                                            i\n\nBackground                                                                   1\n\nObjectives                                                                   3\n\nFindings\n     A. Management and Oversight of Development Testing                     4\n     B. Interim Highly Elliptical Orbit Capability Temporary Authority to\n          Operate                                                           13\n\nAppendixes\n     A. Scope and Methodology                                               21\n         Management Control Program Review                                  22\n     B. Prior Coverage                                                      24\n     C. Definitions of Technical Terms                                      25\n     D. Report Distribution                                                 27\n\nManagement Comments\n     Department of the Air Force                                            29\n\x0cBackground\n    This report is one of a series, which evaluate the adequacy of development testing\n    of mission-critical software in selected weapon systems. The previous report\n    \xe2\x80\x9cDevelopment Testing of Prophet Mission-Critical Software,\xe2\x80\x9d (D-2003-051)\n    January 22, 2003, reviewed software development testing in the Army Prophet\n    system. This report reviews the testing of mission-critical software contained in\n    the Air Force Space Based Infrared System High.\n    Space Based Infrared System. The Space Based Infrared System (SBIRS) High\n    is a constellation of high altitude satellites with a ground system and is the\n    successor to the Defense Support Program with the mission to provide missile\n    warning, missile defense, technical intelligence, and battle space characterization.\n    SBIRS High consists of a space segment and a ground segment and is being\n    developed in two increments. The space segment will employ overhead non-\n    imaging infrared satellite systems in geosynchronous and highly elliptical orbits.\n    The ground segment consolidates the Defense Support Program ground assets to\n    support continuing space operations and provides the capabilities to support\n    transitions, launch, and mission operations for the SBIRS High space segment.\n    Increment 1, which consolidated the current ground assets and is currently\n    supporting Defense Support Program operations, achieved initial operational\n    capability in December 2001. Increment 2, which replaces the Defense Support\n    Program satellites with the SBIRS High constellation, adds capability to the\n    ground segment. Increment 2 is in development and is scheduled to be complete\n    in FY 2010. Estimated cost for Increments 1 and 2 is $4.86 billion. The program\n    office has stated that the cost of SBIRS High software is $892.3 million.\n\n    Program Recertification. During the fall of 2001, the SBIRS Program Office\n    performed an estimate at completion analysis because of questionable cost and\n    schedule parameters in the Acquisition Program Baseline. The analysis reported\n    a potential research, development, test and evaluation cost growth in excess of\n    $2 billion and schedule delays of 18-24 months. As a result, the System Program\n    Director reported a likely Nunn-McCurdy Breach. On December 31, 2001, the\n    Secretary of the Air Force notified Congress that the SBIRS High program had a\n    cost breach. Because of the breach, the Under Secretary of Defense for\n    Acquisition, Technology, and Logistics conducted program reviews, which\n    included an Independent Review Team (IRT). In addition, during the time of the\n    review, the Under Secretary of the Air Force directed the program office to\n    remove the total system performance responsibility clause from the contract.\n    Based upon the need of the program for national security, a revised acquisition\n    strategy, implementation of IRT recommendations, and the removal of the total\n    system performance responsibility, the program was recertified on May 3, 2002.\n\n    Development Testing Objectives. Two objectives of development testing are to\n    verify system compliance to specifications and to demonstrate system readiness to\n    enter operational test and evaluation. Verification of SBIRS ground software\n    requirements is done through a series of test activities called the software\n    development lifecycle. During the development lifecycle, code and unit test,\n    development integration test, and component integration test progressively verify\n\n\n                                         1\n\x0cthat the software meets the design, performs correctly, and integrates with other\ncomponents. In the course of component integration testing, ground segment\ndesign document qualification and segment verification tests are performed to\nverify software requirement specifications and ground segment requirements.\nOnce segment verification tests are complete, the System Engineering Integration\nTeam accepts the ground segment software and performs a series of system level\ntests. For Increment 2, system level tests verify that the integrated ground and\nspace segments meet SBIRS High component specifications. Successful\ncompletion of system level tests ensures system intersegment interface\ncompatibility and system operational capability.\n\nCertification and Accreditation of Development Sites. During the evaluation,\nwe reviewed the status of information assurance for SBIRS development sites\nused for software development. There are three contractor development sites\nused for development, integration, and testing of SBIRS ground segment, space\nsegment, and system software. The locations of the contractor development sites\nare Sunnyvale, California; Azusa, California; and Boulder, Colorado.\nDoD 5220.22-M National Industrial Security Program Operating Manual applies\nto all contractor information systems that process classified information and is\nused for contractor information system certification and accreditation. The\nDefense Security Service oversees the certification and accreditation of all three\ncontractor development sites and ensures that they are in compliance with DoD\npolicy. According to DoD 5220.22-M, in order for a contractor development\nfacility to be certified and accredited it must have an Automated Information\nSystem Security Plan and an accreditation letter approved by a cognizant security\nagency. During our review, we were able to verify that an Automated\nInformation Security Plan and a Defense Security Service accreditation letter\nexist for the Sunnyvale and Azusa contractor development sites. We requested\nthe Automated Information System Security Plan and accreditation letter for the\nBoulder site during our visit to Boulder in October 2002. In February 2003, we\nreceived an Automated Information System Security Plan for Boulder dated\nFebruary 3, 2003. In addition, in February 2003 the Defense Security Service\nprovided us an Interim Authority to Operate (IATO) for Boulder. An IATO gives\npermission for an information system to operate before formal certification and\naccreditation and the signing of the accreditation letter. The date of the IATO\nwas February 24, 2003. We contacted the Defense Security Service regional\nrepresentative and discussed the discrepancy concerning the dates of our request\nand the issuance of the Boulder Automated Information System Security Plan and\nIATO. The Defense Security Service representative told us that the Boulder\nfacility has been certified for 10 years and that the IATO was issued in February\n2003 in order to meet new DoD 5220.22-M requirements. We also met with the\nDefense Security Service Assistant Deputy Director for Operations who told us\nthat they plan to issue a new IATO because the current one is based on old\nrequirements. In addition, DSS provided a synopsis of their oversight of the\nBoulder site and a summary of the different equipment configurations used since\nthe facility became operational in 1982.\n\n\n\n\n                                    2\n\x0cObjectives\n    The overall objective of our evaluation was to review issues concerning\n    development testing and evaluation of SBIRS High mission-critical software.\n    Specifically, we evaluated the completeness and adequacy of the testing to\n    include planning, executing, and reporting of two ground-segment software\n    domains: Telemetry, Tracking, and Commanding; and Mission Processing. We\n    also reviewed specific areas during SBIRS development testing concerning\n    information assurance, interface and interoperability testing, and computer test\n    resources.\n\n\n\n\n                                        3\n\x0c           A. Management and Oversight of\n              Development Testing\n           The program office has not implemented effective requirement flow\n           control by tracking technical progress of user and system requirements to\n           test results and effectivity milestones, assumed approval responsibility for\n           all critical test plans and reports, and established a meaningful metric for\n           key decision makers by annually reporting extended development testing.\n           Those conditions occurred because the program office has not\n           implemented management and oversight requirements specified in Air\n           Force Instruction 99-101, \xe2\x80\x9cDevelopmental Test and Evaluation.\xe2\x80\x9d\n           Specifically, the program office does not have a System Maturity Matrix\n           or an equivalent management tool used to track the program\xe2\x80\x99s technical\n           progress and risks, the program office does not sign off on all critical test\n           plans and reports, and the program office has not planned for the issuance\n           of annual interim test reports during extended developmental testing. As a\n           result, without effective management and oversight of development\n           testing, the $4.86 billion program is at risk of repeating problems\n           previously identified during program recertification, which included\n           inadequate management of requirements, insufficient oversight of system\n           development, and lack of meaningful metrics.\n\nSpace Based Infrared System Program Recertification\n    Space Based Infrared System (SBIRS) High is in the Engineering and\n    Manufacturing Development Phase of the program. Since the contract award in\n    1996, the program has experienced technical difficulties, schedule delays, and\n    cost increases. Because of questionable cost and schedule parameters in the\n    Acquisition Program Baseline, the SBIRS Program Office performed an Estimate\n    at Completion analysis. The analysis disclosed a potential research development\n    test and evaluation cost growth in excess of $2 billion and schedule delays of\n    18-24 months. As a result, the System Program Director reported a likely\n    Nunn-McCurdy Breach. On December 31, 2001, the Secretary of the Air Force\n    notified Congress that the SBIRS High program had a Nunn-McCurdy cost\n    breach. Because the breach involved a program acquisition cost unit above the\n    25 percent threshold for SBIRS High, the Defense Acquisition Executive was\n    required to certify to Congress that the program is essential to national security,\n    there are no alternatives that provide the same capability at less cost, new costs\n    are reasonable, and program management is adequate to control costs.\n\n    In order to provide necessary information for program recertification, the Under\n    Secretary of Defense for Acquisition, Technology, and Logistics performed\n    program reviews between the period of December 2001 and April 2002. Part of\n    those reviews included an assessment of the program by an Independent Review\n    Team (IRT). The IRT identified a number of deficiencies in the program, such as\n    improper control mechanisms for the management of requirements;\n    circumvention of responsibilities while the total system performance\n    responsibility clause was in place, and the lack of meaningful metrics for\n    determining technical progress.\n\n\n                                         4\n\x0c    The IRT proposed recommendations correcting the deficiencies. (IRT Summary),\n    (IRT pg 33-40) At the same time, the Under Secretary of the Air Force also\n    directed the program office to remove the total system performance responsibility\n    clause from the contract. The program manager removed the clause.\n\n    The Defense Acquisition Executive completed the Nunn-McCurdy certification\n    activities and an acquisition decision memorandum documenting certification also\n    directed a revised acquisition strategy be approved by the end of August 2002.\n    Approval of the revised acquisition strategy included the implementation of the\n    IRT recommendations.\n\n\nRequirements for Management Oversight of Development\n  Testing\n    Air Force Instruction 99-101, \xe2\x80\x9cDevelopmental Test and Evaluation,\xe2\x80\x9d\n    November 1, 1996. Air Force Instruction (AFI) 99-101 provides mandatory\n    procedures for the management of development test and evaluation programs on\n    systems, subsystems, and components and it describes planning, conducting, and\n    reporting cost-effective development test and evaluation to support acquisition\n    and sustainment program decisions and actions throughout a system\xe2\x80\x99s life cycle.\n    AFI 99-101 requires that all acquisition programs, with the exception of programs\n    in production that have met all of their user requirements, require a System\n    Maturity Matrix (SMM). The SMM is an acquisition management tool used to\n    aid in tracking a program\xe2\x80\x99s technical progress and risk. SMM links user\n    requirements, allocated requirements, and system specifications to expected test\n    results to be achieved over time and provides critical technical and operational\n    characteristics that will be assessed at major decisions or event milestones. The\n    instruction states that the greater reliance on contractors for testing, the greater the\n    need for knowledgeable government officials, and that the system manager along\n    with the responsible test organization will approve all test plans and reports and\n    will oversee contractor testing. In addition, the instruction states that when a\n    program has an extended test phase, the instruction requires that the responsible\n    test organization provide annual interim test reports.\n\n    Air Force Manual 99-113, \xe2\x80\x9cSpace Systems Test and Evaluation Process\n    Direction And Methodology for Space System Testing,\xe2\x80\x9d May 1, 1996. Air\n    Force Manual 99-113 provides the Space Systems Test and Evaluation Process\n    for use by program mangers, test engineers, test organization personnel, major\n    command headquarters staffs, and others regardless of command level, involved\n    in Space Systems Test and Evaluation. Nonuse of the process is by exception\n    only. The process includes the use of an SMM. The manual states that during\n    test definition the SMM should be a primary reference for understanding what the\n    expected capabilities and levels of performance of the system are to be at the time\n    of the test, and that during tracking and reporting of cumulative test results the\n    tester should relate test objectives to documented user requirements and SMM\n    interim values. The manual requires that in order to measure system progress\n    toward meeting user needs, test program results shall provide a clear picture of\n    system maturity toward meeting the user\xe2\x80\x99s documented requirements and that\n\n\n                                           5\n\x0c     decision makers need test results to determine whether to grant programs\n     approval to proceed through each milestone. The manual also states that an\n     annual test process summary is to be generated by the program office, which will\n     record all Development Test and Evaluation and Operational Test and Evaluation\n     accomplished, key test process decisions, test and evaluation deficiencies, and\n     identified risk areas. This document can be included in the annual interim test\n     report.\n\n\nTracking Technical Progress of User and System\n  Requirements to Test Results and Effectivity Milestones\n     The program office has not implemented effective requirement flow control by\n     tracking development of the SBIRS High ground segment software as it relates to\n     user requirements, and by tracking technical progress of user and system\n     requirements to test results and effectivity milestones. In particular, the program\n     office does not have a SMM or an equivalent tool. Such a tool would permit the\n     program manager to link user requirements and system specifications to ground\n     segment software requirements test results, and permit the program manager to\n     track the technical progress of requirements by mapping ground segment software\n     requirements to software increments, and high component specifications to\n     effectivity milestones. In addition, the SMM would allow the program manager\n     to trace back test results from software and system tests to user requirements.\n\n     Requirements Process. SBIRS High user requirements flow down to SBIRS\n     High component specifications, then to ground segment requirements, and finally\n     to software requirement specifications. The Systems Engineering Integration\n     Team (SEIT) maintains traceability of high component specifications to ground\n     segment requirements in the Modified Design Compliance Matrix. The Modified\n     Design Compliance Matrix provides the basis for the Requirements Verification\n     Ledger. The Requirements Verification Ledger identifies each high component\n     specification requirement to be verified during testing as well as the approach,\n     method, criteria, and status. The ground segment Integrated Product Team (IPT)\n     maintains traceability of ground segment requirements to software requirement\n     specifications in the ground segment design document. The ground segment\n     software IPTs use the Requirements Traceability and Management tool for\n     documenting requirements, traceability, and test verification. Part of the\n     Requirements Traceability Management tool is the Requirement Verification\n     Planning tool, which contains the verification method, approach, and a\n     completeness check for each requirement. SEIT personnel are involved in final\n     Ground Segment level tests to ensure that the Ground Segment is ready for site\n     installation and system level test.\n\n     Tracking Requirements to Test Results. The ground segment test report\n     documents test results for ground segment software testing. The test results are\n     mapped to ground segment requirements. The SEIT uses those results in order to\n     determine if the ground segment is ready for integration and system level testing.\n     Before a software increment undergoes ground segment testing, it is developed\n\n\n\n                                          6\n\x0c     and tested by code and unit test, development integration test, component\n     integration test and ground segment design document verification test. Each of\n     those activities progressively verifies that the software meets the design, performs\n     correctly, and integrates successfully with other hardware and software\n     components. The program manager does not have a tool which would link\n     software requirements tested back to high component specifications or user\n     requirements and permit analysis of software maturity and development progress.\n\n     Tracking Requirements to Effectivity Milestones. SBIRS High is currently in\n     Engineering and Manufacturing Development Phase. Delivery of ground\n     software is in blocks, with each block increasing mission utility. During our\n     evaluation, we reviewed two blocks: the Highly Elliptical Orbit Intersegment\n     Test and Early On-Orbit Test. Deliveries of incremental system capability called\n     effectivity, include ground and space segments. Effectivity indicates a level of\n     system design maturity and represents a decision point to continued system\n     development. There are 10 effectivities for SBIRS High. During our evaluation,\n     we were unable to identify a tool that would allow the program manager to link\n     user requirements to ground segment requirement test results, map high\n     component specifications to effectivities, and map ground segment requirements\n     to a specific software block. In the course of our evaluation, the program office\n     informed us that the SEIT was in the process of developing a method of tracing\n     high component specifications to effectivities.\n\n     During program recertification, the IRT recommended a block acquisition\n     approach to ensure requirements satisfaction as well as implementing disciplined\n     processes with meaningful metrics. Actions taken by the program office to\n     implement those recommendations have not included an SMM or a similar tool.\n     Without the SMM, there still exists inadequate management of requirements since\n     the program manager is unable to track the technical progress of user and system\n     requirements to test results, software blocks, and effectivity milestones.\n     Specifically the program manager is unable to trace user requirements to ground\n     segment verification test results, map ground segment requirements to software\n     blocks, map high component specifications to effectivities and perform crucial\n     analysis for determining software and system maturity.\n\n\nApproval Responsibility for Critical Test Plans and Reports\n     The program office has not assumed responsibility for approving all critical\n     development test plans and reports. The program office is a participant in IPTs\n     and SEIT. Both are responsible for reviewing plans, implementation, and results\n     for many critical test activities. The program office relies on contractor\n     representatives to sign off on numerous test results used to support program\n     management decisions, thereby passing on oversight responsibility to the\n     contractor. In particular, the government does not sign off on ground segment test\n     plans and reports, and does not sign off on the subsequent SBIRS system tests for\n     intersegment compatibility and initial telemetry tracking and commanding, and\n     payload interface. Signing off on a test plan or test result indicates that the\n\n\n\n                                          7\n\x0csoftware or system is ready to continue to the next major integration and test\nevent.\n\nApproval Process. SBIRS software IPTs define software builds, test plans, and\nschedules for ground segment software. The IPT represents all software\ndisciplines: management, systems engineering, specialty engineering, software\nconfiguration management, software quality assurance, test, and software\ndevelopment. IPT membership also includes a government representative.\nDuring ground segment development, the government representative is a\nparticipant in the ground segment IPT, which designs, tests, and verifies ground\nsegment software. In addition to normal IPT functions, the government\nrepresentative also attends management meetings, engineering review and change\ncontrol board meetings, and other relevant working groups and reviews. If the\ngovernment representative has an unresolved issue with the IPT, he or she notifies\nthe program office.\n\nThe SEIT, a contractor organization, is responsible for system development test\nand evaluation and maintains oversight of ground segment activities to assess its\nreadiness to participate in system level tests. The SEIT test team consists of\nmembers of the High Orbit Space Vehicle IPT, ground segment IPT, test staff,\nand participating government organizations. The SEIT Test Director with the\nsupport of the SEIT test team is responsible for planning, conducting, and\nreporting the system level tests. The SEIT is also the sign off approval authority\nfor ground segment requirement verification tests. Ground segment verification\ntests are critical because they ensure that ground segment software is ready for\nintegration and test at the SBIRS system level.\n\nCritical Tests. System test, which includes the space and ground segment, is the\nincremental process that ensures intersegment interface compatibility and system\noperational capability. System level tests use a building block approach.\nCompletion of system level tests demonstrates segment interface compatibility,\nfunctionality, external element interoperability, and overall operational readiness.\nCritical system tests include intersegment compatibility, telemetry, tracking, and\ncommanding, and payload interface functional test, pre-deployment readiness,\nlaunch base compatibility, post-deployment initial test, post-deployment\nintegration and calibrations and combined development test/operational test. For\npre-deployment readiness and launch base compatibility tests, the government is\nthe final approval authority. For post-deployment initial test and post-deployment\nintegration and calibration events, the government participates in test readiness\nreviews and test exit reviews. For intersegment compatibility, telemetry,\ntracking, and commanding, and payload interface functional tests the SEIT is the\nsign approval authority.\n\nDuring our review of SBIRS system test reports for telemetry, tracking, and\ncommanding, and payload interface, we found that test results addressed SBIRS\nHigh ground requirements, instead of high component specifications as required\nby the SBIRS Program Verification Plan, and that deficiencies generated did not\nhave dispositions as required by SBIRS System Test Plan. We believe that with\ngovernment approval authority, the test report would have more accurately\ndocumented what the test plans required.\n\n\n\n                                     8\n\x0c    Contractor Reliance. Even though the total system performance responsibility\n    clause was removed from the contract, the program office is dependent upon\n    contractor IPTs and SEIT for determining the adequacy of development test\n    planning and test results. Furthermore, during program recertification one of the\n    primary reasons for removing the clause was that the IRT identified\n    circumvention of roles and responsibilities as a significant cause for past\n    difficulties. With the reliance on contractor testing as well as the delegation of\n    testing approval to the contractor, there is the risk that development testing will\n    not provide an adequate assessment of software and system technical progress. In\n    particular, AFI 99-101 states that there is a need for knowledgeable government\n    officials to oversee testing and approve contractor test plans and reports. For\n    SBIRS, oversight and approval of contractor test plans and reports should include\n    all critical ground segment, space segment, and SBIRS system tests such as\n    ground segment verification, intersegment compatibility, telemetry, tracking, and\n    commanding, and payload interface.\n\nExtended Development Testing Annual Interim Test Report\n    The program office has not established a meaningful metric for managing\n    program\xe2\x80\x99s progress by establishing the requirement for annually reporting the\n    extended developmental testing. The purpose of the annual interim test report is\n    to document development and operational test accomplished, key test process\n    decisions, test deficiencies, and identified risk areas. AFI 99-101 requires an\n    annual interim test report when a program has an extended developmental test and\n    evaluation period. SBIRS High Increment 2 has an extended developmental test\n    and evaluation period with the intent of testing payload/satellite flight operations\n    support activities after completion of space system tests for follow-on early orbit\n    and payload calibration. Program documents such as the Single Acquisition\n    Management Plan, Test and Evaluation Master Plan, and Integrated Test and\n    Evaluation Plan do not call for an annual interim test report during extended\n    developmental testing. Without the annual interim test report the program\n    manager lacks a meaningful metric for assessing and reporting the progress of\n    development testing.\n\n    Extended Developmental Testing. SBIRS High Increment 2 schedule identified\n    extended developmental test and evaluation being performed from FY 2004 to\n    FY 2008. The Combined Task Force along with supporting contractors will be\n    conducting the tests. SBIRS High extended developmental tests include testing\n    the interim mission control station backup and the mission control station, and\n    ground segment checkout, launch, on-orbit test, and interim operations of Highly\n    Elliptical Orbit and Geostationary Earth Orbit satellite payloads. Results of those\n    tests support the assessment of SBIRS High capabilities, the decision to proceed\n    with development of the next ground software increment, and the transitioning of\n    developmental testing to operational testing.\n\n    Annual Interim Test Report. During program recertification, the IRT found\n    that the program office lacked meaningful metrics to assess program progress and\n    that the program office had overly optimistic assumptions in the area of software\n    development, which led to unrealistic schedules. In order to address those issues,\n\n\n\n                                         9\n\x0c    the program office established metrics for measuring program executability and\n    implemented an incremental delivery approach for ground software.\n    Establishment of the Combined Task Force and extended developmental testing\n    supports incremental ground software deliveries and block deliveries of SBIRS\n    system capabilities. Nevertheless, the program office stated that there is no plan\n    to annually report the results, deficiencies, and risks identified by the Combined\n    Task Force during extended developmental testing. Such reporting to some\n    extent would address the identified IRT deficiency. In particular, an annual\n    interim test report would provide the program manager meaningful metrics for\n    measuring progress of development tests as well as providing important\n    information for key management decisions.\n\n\nConclusion\n    Improved management and oversight of the SBIRS High is needed to reduce the\n    risk of repeating problems previously identified during program recertification.\n    During program recertification, the IRT identified deficiencies and corrective\n    actions. Even though programmatic and contract changes have been\n    implemented, the program office has not implemented effective requirement flow\n    control by tracking the technical progress of requirements, assuming\n    responsibility for approving all critical test plans and reports, and establishing a\n    metric for annually reporting extended developmental testing. First, the program\n    office should implement an SMM or similar tool for tracking the technical\n    progress of user and system requirements to test results and effectivity milestones.\n    Next, the program office should assume sign off responsibility for all critical test\n    plans and reports so that development tests and results will provide adequate\n    information for tracking technical progress and supporting program management\n    decisions. Finally, the program office should provide to key decision makers an\n    annual interim test report documenting extended developmental testing.\n\n\nRecommendations, Management Comments, and Evaluation\n  Response\n    A. We recommend that the System Program Director, Space Based Infrared\n    System, Space and Missile Systems Center:\n\n            1. Implement a System Maturity Matrix, as required by Air Force\n    Instruction 99-101, \xe2\x80\x9cDevelopmental Test And Evaluation,\xe2\x80\x9d November 1,\n    1996, for tracking the system technical progress and maturity, by mapping\n    user requirements and high component system specifications to ground\n    segment software blocks, ground and space segment verification tests, system\n    tests and effectivity milestones.\n\n    Management Comments. The System Program Director, SBIRS, Space and\n    Missile Systems Center concurred, and agreed to develop an SMM that will\n    include mapping requirements to effectivities.\n\n\n                                        10\n\x0cEvaluation Response. The System Program Director comment is responsive.\nWe believe that having the SMM map requirements to effectivities, software\nblocks and test results will be an effective tool in implementing and managing the\ndelivery of system blocks. We request that the System Program Director provide\ndetailed information on how the SMM will track requirements to effectivities and\ntest results.\n\n       2. Approve all critical test plans and reports as required by Air Force\nInstruction 99-101, \xe2\x80\x9cDevelopmental Test And Evaluation,\xe2\x80\x9d November 1,\n1996, by:\n\n              a. Assume sign off authority responsibility for all ground\nsegment, space segment, and system critical test plans and reports. Critical\ntest plans and reports include ground segment verification, intersegment\ncompatibility, telemetry tracking and commanding, and payload interface\ntests.\n\nManagement Comments. The System Program Director, SBIRS, Space and\nMissile Systems Center partially concurred. The System Program Director stated\nthat they approve all critical system test plans and reports and that they have the\nauthority to approve or disapprove test plans that merit their decision. The\nSystem Program Director also stated that along with their federally funded\nresearch and development center, they are involved in all critical system and\nsegment level tests.\n\nEvaluation Response. Although the System Program Director partially\nconcurred, we consider the comments responsive. We based our analysis on the\nIntegrated Master Plan and review of test plans and reports. We determined that\nnot all critical ground segment, space segment, and SBIRS system tests such as\nground segment verification, intersegment compatibility, telemetry, tracking, and\ncommanding, and payload interface require government sign off authority. We\nalso found that test reports for telemetry, tracking, and commanding, and payload\ninterface, which do not require government sign off, did not meet requirements\nstated in the program verification plan. We request that the System Program\nDirector provide detailed information on the government approval process for the\ncritical test plans and reports we identified that did not require government\napproval. We also request that the System Program Director state if the\ndeficiencies we identified in the test reports for telemetry, tracking and,\ncommanding, and payload interface have been corrected.\n\n               b. Update the Test and Evaluation Management Plan to\nspecify that the program office is the sign off authority for all critical ground\nsegment, space segment and system test plans and reports.\n\nManagement Comments. The System Program Director, SBIRS, Space and\nMissile Systems Center concurred. The System Program Director stated that the\nTest and Evaluation Master Plan update is in progress and will reflect changes\nstated in management comments in response to recommendation A.2.a.\n\n\n\n\n                                    11\n\x0c       3. Develop and implement procedures for the issuance to key\nprogram decision makers an annual interim test report during extended\ndevelopmental testing as required by Air Force Instruction 99-101,\n\xe2\x80\x9cDevelopmental Test And Evaluation,\xe2\x80\x9d November 1, 1996. The test report\nshould include analysis of developmental and operational tests accomplished,\nkey test process decisions, test deficiencies, and identified risk areas.\n\nManagement Comments. The System Program Director, SBIRS, Space and\nMissile Systems Center concurred. The System Program Director stated use of\nthe annual interim test report will help in the efforts to restore full government\nauthority and accountability for SBIRS High.\n\n\n\n\n                                     12\n\x0c            B. Interim Highly Elliptical Orbit\n            Capability Temporary Authority to\n            Operate\n            An Interim Authority To Operate (IATO) dated November 4, 2002, was\n            inappropriately issued by the Designated Approval Authority for the\n            Interim Highly Elliptical Orbit Capability (IHC). In addition, the Space\n            Based Infrared System (SBIRS) Program Office plans to improperly issue\n            a yearly IATO until initial operational capability scheduled in FY 2010.\n            Issuance of the IATO was not in accordance with the Department of\n            Defense Information Technology Security Certification and Accreditation\n            Process. Specifically, during system validation the Certifying Authority\n            (CA) did not ensure that the system security requirements were met by\n            completing critical security tests and the Designated Approval Authority\n            (DAA) did not make certain that validation tasks were complete before\n            issuance of the IATO. Furthermore, the re-accreditation requirement in\n            the System Security Authorization Agreement (SSAA) incorrectly makes\n            use of the IATO to annually allow the IHC to operate. As a result, by not\n            validating the correct implementation and operation of system security\n            features, which affect system availability, integrity, authentication,\n            confidentiality, the correctness of IHC test data is in doubt and the\n            capability of IHC to test, assess, and support SBIRS is questionable.\n\n\nInformation Assurance for Interim Highly Elliptical Orbit\n   Capability\n     Information Assurance is information operations that protect and defend\n     information systems by ensuring their availability, integrity, authentication,\n     confidentiality, and non-repudiation. It includes providing for the restoration of\n     information systems by incorporating protection, detection, and reaction\n     capabilities. An information system can be any computer related equipment or\n     interconnected system or subsystems of equipment that is used in the acquisition,\n     storage, manipulation, management, movement, control, display, reception of\n     voice and or data, and includes software, firmware, and hardware.\n\n     Interim Highly Elliptical Orbit Capability Systems. The IHC is a stand-alone\n     ground segment information system that supports the launch, early on-orbit tests,\n     and analysis mode processing of the SBIRS Highly Elliptical Orbit Infrared\n     Payload. The IHC consists of four subsystems and a connecting network. The\n     four subsystems are the Interim Highly Elliptical Orbit Test Center, the Mission\n     Control Station Technical Intelligence Center, the SBIRS Anomaly Resolution\n     Center, and the Relay Ground Station. All of which have software, firmware, and\n     hardware. The interim test center serves as the IHC control center and provides\n     the mission control station capabilities. The technical intelligence center provides\n     analysis support for missile warning. The anomaly resolution center enhances\n\n\n\n                                         13\n\x0c     telemetry, tracking, and command between the ground system and payload\n     personnel by providing a more rapid response and integrated effort. The relay\n     ground station provides the interface and archive capability between the ground\n     station and the interim test center.\n\n     Availability, Integrity, Authentication, and Confidentiality. For the IHC,\n     protection of system availability, integrity, authentication, and confidentiality are\n     essential. More over, if controls were not in place to ensure availability, integrity,\n     authentication, and confidentiality of the IHC, its resources, and data, there would\n     be uncertainty that tests performed by the IHC as well as test results were correct.\n\n     Availability is the timely and reliable access to data and information services for\n     authorized users. The IHC needs to be timely and reliable in order to perform\n     mission planning, mission management, mission processing, and control of space\n     and ground segment hardware and software.\n\n     Integrity is the condition existing when data is unchanged from its source and has\n     not been accidentally or maliciously modified, altered, or destroyed. IHC data\n     includes sensor, telemetry, mission planning, mission scheduling, ground and\n     space segment control, archive and system administration. All IHC data needs to\n     be accurate and unchanged. If data is incorrect, the IHC will not be able to\n     perform any of its tasks such as providing reliable control of satellites, accurately\n     processing mission data, and correctly managing and controlling IHC hardware\n     and software.\n\n     Authentication is a security measure designed to establish the validity of a\n     transmission, message, user or system or a means of verifying an individual\xe2\x80\x99s\n     authorization to receive specific categories of information. IHC authentication\n     separates users into four categories: system level, configuration management,\n     database management, and application operation. If IHC authentication did not\n     provide adequate separation of user access to system resources, a user could\n     unintentionally or maliciously affect IHC availability, integrity, authentication,\n     and confidentiality.\n\n     Confidentiality is an assurance that information is not disclosed to unauthorized\n     persons, processes, or devices. The IHC processes data up to the DoD Secret\n     level and is required to operate in the high mode, which is defined as all users of\n     the system having the appropriate clearance to system information but not all\n     users having the need to know for all information. Confidentiality is required to\n     restrict who or what can access need to know information and system resources as\n     well as determining what type of access is permitted.\n\n\nSystem Security Certification and Accreditation Requirements\n  for Interim Highly Elliptical Orbit Capability\n     DoD Instruction 5200.40, \xe2\x80\x9cDepartment of Defense Information Technology\n     Security Certification and Accreditation Process Instruction (DITSCAP),\xe2\x80\x9d\n\n\n\n                                          14\n\x0c     December 30, 1997. DITSCAP defines a process that standardizes the activities\n     leading to system security accreditation, and applies to the acquisition, operation,\n     and sustainment of any DoD system that collects stores, transmits, or processes\n     unclassified or classified information. The SBIRS Program Office is required to\n     use DITSCAP for the IHC. The DITSCAP process consists of four phases:\n     Phase 1, Definition; Phase 2, Verification; Phase 3, Validation; and Phase 4, Post\n     Accreditation. Information collected during Phase 1 is used to determine the\n     certification level of the system, which in turn determines the level of effort\n     required. Phase 2 is to verify system compliance with security requirements and\n     evaluate vulnerabilities. Phase 3 is used to validate that the fully integrated\n     system operates in a specified computing environment with an acceptable level of\n     risk. Completion of Phase 3 culminates in the accreditation of the system.\n     Phase 4 is used to manage and operate the system while preserving an acceptable\n     level of residual risk. During Phase 3 if a system does not meet requirements, but\n     mission criticality mandates that the system become operational, a temporary\n     approval may be issued. If a temporary approval is used, the system is required to\n     return to Phase 1 activities to negotiate accepted solutions, schedule, necessary\n     security actions, and milestones.\n\n     DoD 8510.1-M, \xe2\x80\x9cDepartment of Defense Information Technology and\n     Security Certification and Accreditation Process (DITSCAP) Application\n     Manual,\xe2\x80\x9d July 31, 2000. This manual supports DITSCAP by presenting a\n     detailed approach to the activities comprising the certification and accreditation\n     process as well as the content of SSAA. Chapter 3, Phase 1 definition provides a\n     task description on how to determine the appropriate certification level of a\n     system. The certification level of a system determines the level of analysis\n     required for the certification and accreditation process for all four phases.\n     Chapter 5, Phase 3 validation provides a task description on ensuring that\n     requirements and agreements apply, certifying that the fully integrated and\n     operational system comply with stated requirements and during certification\n     performing tests and evaluations to validate all security features are in place. At\n     the completion of Phase 3, if the CA concludes that the system satisfies security\n     requirements, the CA recommends that the DAA accredit the system. If the CA\n     uncovers deficiencies but believes that short-term operation of the system is\n     within acceptable bounds, the CA may recommend to the DAA an IATO. The\n     DAA then reviews the CA\xe2\x80\x99s recommendation and determines whether to accredit\n     the system or not. If the DAA determines that the system does not meet\n     requirements but mission criticality mandates that the system become operational,\n     the DAA may issue an IATO.\n\n\nBasis Used for the Interim Authority to Operate\n     On November 4, 2002, the DAA issued an IATO for the IHC. In addition, the\n     SBIRS Program Office plans to issue a yearly IHC IATO until initial operational\n     capability scheduled in FY 2010. Before issuance of IATO, the IHC SSAA dated\n     May 2002 documented that the security test and evaluation certification test was\n     incomplete, and that penetration testing certification test was not done.\n     Furthermore, the IHC SSAA re-accreditation requirement states \xe2\x80\x9cIHC elements\n\n\n                                         15\n\x0cwill be receiving IATO accreditations on a yearly basis and full accreditation after\noperational initial operational capability,\xe2\x80\x9d thereby possibly avoiding further IHC\nsecurity test and evaluation and penetration testing.\n\nSystem Security Requirements. The IHC SSAA is the IHC certification and\naccreditation package and generally follows the SSAA format required by\nDITSCAP. The SSAA is a formal agreement among the DAA, CA, user\nrepresentative, and program manager. The SSAA is required to document the\nDITSCAP process used for certifying and accrediting the system. DoD 8510.1-M\nprovides an outline on what is required in SSAA. It requires SSAA to contain\nsections, which identify system security and re-accreditation requirements, and\ncalculate a system certification level.\n\nIHC SSAA states that there are system security requirements for data, files,\noperating systems, applications, databases, and networks and that system\ncertification Level is 3. The SSAA security requirement section states that IHC\noperating systems meet Class 2 criteria. Class 2 criteria include unique user\nlogon Ids and passwords, auditing and accountability of users and processes, and\naccess controls for the protection of object reuse. IHC operating systems achieve\nClass 2 requirements by implementing the following system security\nrequirements: identification and authentication for all system users, assurance\nmeasures such as encryption, security countermeasures, and auditing, and access\ncontrols for files, operating systems, applications, and databases. Also included\nin the SSAA security requirement section are tools for managing network\nsecurity, which are the Simple Network Management Protocol, Enterprise\nSecurity Management, and the Unix Privilege Manager. The SSAA security\nrequirement section states that IHC elements will be receiving IATO\naccreditations on a yearly basis and full accreditation after operational initial\noperational capability.\n\nLevel of Effort. Along with the security requirements, the DITSCAP\nApplication Manual also requires attachments to the SSAA. A few of the\nrequired appendixes are the Security Test and Evaluation Plan and Procedures,\nthe Test and Evaluation Reports, the Residual Risk Assessment Results, and the\nCertification and Accreditation Statement. The Security Test Plans and Test\nEvaluation Reports verify and validate that the system security requirements have\nbeen met; the Residual Risk Assessment analyzes threats and the vulnerability of\nthe information system to those threats; and the Certification and Accreditation\nStatement is the DAA approval to operate the system. Along with those required\nappendixes, the IHC SSAA also includes Minimal Security Activity Checklists\nand the Network Vulnerability Assessment. The Minimal Security Activity\nChecklist documents analysis and work performed on the system and the Network\nVulnerability Assessment assesses the adequacy of security measures for the\nnetwork.\n\nThe IHC SSAA appendixes do document the level of effort performed by the\ncontractor during the certification and accreditation process. The Security Test\nand Evaluation appendix states \xe2\x80\x9cdue to IHC network maturity level on 1 April\n2002, this report is postponed as such time, as the IHC network is ready for full\nsecurity test and evaluation;\xe2\x80\x9d and the Residual Risk Assessment appendix states\n\xe2\x80\x9cAir Force Operational Test and Evaluation Center has been contacted about\n\n\n                                    16\n\x0c    doing an Air Force penetration assessment.\xe2\x80\x9d The Minimal Security Activity\n    Checklist, Task 3-1 and 3-2 state \xe2\x80\x9csecurity test and evaluation have not been\n    performed and there has not been a penetration test assessment.\xe2\x80\x9d The Network\n    Vulnerability Assessment appendix states, \xe2\x80\x9cvulnerability assessment of the IHC\n    network is under review by government for applicability.\xe2\x80\x9d Lastly, the\n    Certification and Accreditation Statement appendix includes an IATO for the IHC\n    dated November 4, 2002, which permits the IHC to operate for a 12-month period\n    while security verification testing is being performed.\n\n    All of the appendixes in the IHC SSAA indicate that during the 12-month period\n    while the IHC is being used for SBIRS High early on-orbit development testing,\n    system security requirements, such as Class 2 criterion, and network management\n    tools will not be validated. Without validation, there will be doubt on the\n    protection of IHC availability, integrity, authentication, and confidentiality.\n\nRemaining Requirements for Interim Authority to Operate\n  Issuance\n\n    The IHC CA did not ensure that system security requirements were met by\n    completing system security test and evaluation, penetration testing and the DAA\n    did not make certain validation tasks were complete before issuance of the IATO.\n    Furthermore, the IATO re-accreditation requirement in the IHC SSAA incorrectly\n    makes use of the IATO to annually allow the IHC to operate. For IHC a Level 3\n    system, security functions must be tested to verify the integration and operation of\n    all security features. Security test and evaluation must validate the correct\n    implementation of identification and authentication, audit capabilities, access\n    controls, object reuse, trusted recovery, discretionary access controls and network\n    connection rule compliance. Penetration testing must include insider and outsider\n    penetration attempts based on known vulnerabilities and the implemented system\n    must be tested for flaws, with the results described to an appropriate level for the\n    exploitation.\n\n    DoD Instruction 5200.40 and DoD 8510.1-M define the process required for\n    certification and accreditation as well as the issuance of an IATO. During the\n    DITSCAP definition phase, the CA determines the appropriate certification level\n    of the system and during the validation phase the CA ensures that all security\n    requirements are met by making sure all required security testing is complete. At\n    the completion of the validation phase, the CA provides an accreditation\n    recommendation to the DAA. If the DAA determines that the system does not\n    meet requirements but mission criticality mandates that the system become\n    operational, the DAA may then issue an IATO.\n\n    The CA has determined that the IHC certification Level is 3. However, the\n    appendixes, which contain the security test and evaluation report, penetration\n    testing, minimal security activity checklist and network vulnerability assessment,\n    do not document completion of required Level 3 security testing. The CA should\n    have ensured that security testing was complete before submitting a\n\n\n\n                                        17\n\x0c    recommendation to the DAA and the DAA should have reviewed the SSAA and\n    verified that all required testing was complete before issuance of the IATO. By\n    verifying completion of required testing the DAA would have been certain that\n    IHC system security requirements, such as Class 2 criterion, network security\n    were correct. Furthermore, the SSAA re-accreditation requirement states that the\n    SBIRS Program Office plans to issue an annual IATO for IHC until initial\n    operational capability, scheduled for FY 2010. Such a requirement may\n    circumvent security tests required to validate security requirements until initial\n    operational capability.\n\n\nConclusion\n    By not validating the correct implementation and operation of system and\n    network security features, which affect system availability, integrity,\n    authentication, confidentiality, the correctness of IHC test data is in doubt and the\n    capability of IHC to accurately test, assess and support SBIRS High system is\n    questionable. DITSCAP requires validation of system security and network\n    security features and for a Level 3 or higher system a security test and evaluation\n    and penetration test before system accreditation or issuance of an IATO. The\n    DAA has granted IHC an IATO for a 12-month period while it is supporting\n    development testing of SBIRS High early on-orbit tests. However, the DAA\xe2\x80\x99s\n    decision to issue an IATO did not follow DITSCAP because IHC SSAA shows\n    that the system is at Level 3, and security test and evaluation and penetration test\n    are incomplete. In addition, IHC SSAA states that the program office plans to\n    issue an annual IATO until initial operational capability scheduled for FY 2010.\n    The CA should ensure all IHC validation tasks, which include security test and\n    evaluation and penetration test are complete. The DAA should then accredit IHC,\n    withhold accreditation, or issue an IATO. Also, the Program Director should\n    remove the reaccreditation requirement for an annual IHC IATO from the SSAA\n    and plan to have IHC achieve full accreditation within the next 12 months.\n\n\nRecommendations, Management Comments, and Evaluation\n  Response\n    B.1. We recommend that the Interim Highly Elliptical Orbit Capability\n    Certifying Authority:\n\n           a. Complete all validation tasks, which include security test and\n    evaluation and penetration test for the Interim Highly Elliptical Orbit\n    Capability.\n\n          b. Document test results in the Interim Highly Elliptical Orbit\n    Capability System Security Authorization Agreement.\n\n\n\n\n                                         18\n\x0c       c. Provide recommendation to the Interim Highly Elliptical Orbit\nCapability Designated Approval Authority whether to accredit, withhold\naccreditation or issue an Interim Authority to Operate.\n\nManagement Comments. The System Program Director, SBIRS, Space and\nMissile Systems Center concurred. The System Program Director stated that\ndetailed DITSCAP Phase III security testing is scheduled to be complete in\nDecember 2003.\n\nEvaluation Response. The System Program Director comments were\nresponsive. We request that the System Program Director provide us the updated\nIHC \xe2\x80\x93 now known as the Interim Test Center, SSAA that contains a summary of\nthe security test results once the tests are complete.\n\nB.2. We recommend that the Interim Highly Elliptical Orbit Capability\nDesignated Approval Authority:\n\n      a. Verify all certification tasks, which include security testing are\ncomplete.\n\n       b. Accredit, withhold accreditation, or issue an Interim Authority to\nOperate for the Interim Highly Elliptical Orbit Capability based on\nCertifying Authority recommendation, certification task findings, and\nSystem Security Authorization Agreement documents.\n\nManagement Comments. The System Program Director, SBIRS, Space and\nMissile Systems Center concurred.\n\nB.3. We recommend that the System Program Director, Space Based\nInfrared System, Space and Missile Systems Center:\n\n       a. Remove the annual Interim Authority to Operate re-accreditation\nrequirement from the Interim Highly Elliptical Orbit Capability System\nSecurity Authorization Agreement.\n\n       b. Plan to have the Interim Highly Elliptical Orbit Capability\nachieve full accreditation within the next 12 months.\n\n      c. Document the plan in the Interim Highly Elliptical Orbit\nCapability System Security Authorization Agreement.\n\nManagement Comments. The System Program Director, SBIRS, Space and\nMissile Systems Center partially concurred. The System Program Director stated\nthat they agree to remove the IHC \xe2\x80\x93 now known as the Interim Test Center,\nannual IATO re-accreditation requirement but they chose to use the IATO as a\nviable alternative during system maturation.\n\nEvaluation Response. Although the System Program Director partially\nconcurred, we consider the comments responsive. We chose a 12\xe2\x80\x93month time\nperiod for the IHC\xe2\x80\x93 now known as the Interim Test Center, to achieve full\n\n\n                                  19\n\x0caccreditation based on the IATO provided by the program office. We\nacknowledge that achieving full accreditation during system maturation is\ndifficult. We also believe that proper use of an IATO does provide a level of\nassurance that the Interim Test Center is performing correctly. We request that\nthe System Program Director provide the updated Interim Test Center SSAA that\ndocuments the plan to achieve final accreditation.\n\n\n\n\n                                   20\n\x0cAppendix A. Scope and Methodology\n   To accomplish our evaluation objective, we examined development testing of\n   SBIRS mission-critical software, which included planning, execution, and\n   reporting. We reviewed system level testing. We reviewed information\n   assurance testing, interface and interoperability testing, certification and\n   accreditation and computer test resources.\n\n   We reviewed the organizational structure, software development process, and\n   software development testing of SBIRS High Increment 2 ground segment. We\n   reviewed portions of the current SBIRS High Component \xe2\x80\x93 Engineering\n   Manufacturing Development Program Contract and a section of the original\n   contract, which described Total System Performance Responsibility. We\n   obtained and reviewed the SBIRS Single Acquisition Management Plan, Test and\n   Evaluation Master Plan, Integrated Master Plan, Integrated Test and Evaluation\n   Plan, Program Verification Plan, System Test Plan, and the Ground Segment Test\n   Plans. We reviewed the System Protection Guide, Computer Security Plan, the\n   System Security Authorization Agreement, and other certification and\n   accreditation documents for development test information systems. We reviewed\n   the Command, Control, Communications, Computers, and Intelligence Support\n   Plan and Interface Control Plans. We reviewed requirement documents,\n   including the Operational Requirements Document, the SBIRS High Component\n   Specification and trace documents pertaining to the Ground Segment Design\n   Documents. We reviewed deficiency reports, as well as the corrective action\n   process. We obtained and reviewed test reports for the two software domains we\n   examined.\n\n   We selected two software domains in SBIRS that contain mission-critical\n   software for our evaluation. The first domain we selected was the Telemetry,\n   Tracking, and Commanding domain within Highly Elliptical Orbit Intersegment\n   Test, which had already completed the software development lifecycle. The\n   second domain we selected was the Highly Elliptical Orbit Early-On-Orbit Test\n   Mission Processing domain, which was going through the software development\n   lifecycle during our evaluation. We visited the SBIRS Program Office in Los\n   Angeles, California, and the contractor development and test facilities in Boulder,\n   Colorado, and Azusa, California, to verify and validate test process and test\n   results.\n\n   At the test facilities, we observed demonstrations of simulated SBIRS satellite\n   operations and processing simulated satellite sensor exceedance data. We also\n   received a walkthrough of the Mission Processing domain\xe2\x80\x99s system development\n   folders capability, which is used for storage of programs and test results during\n   development test and evaluation.\n\n   Our evaluation reviewed issues concerning development testing and evaluation of\n   the SBIRS mission-critical software. Specifically, we evaluated the completeness\n   and adequacy of the testing to include planning, executing and reporting of two\n   ground-segment software domains: Highly Elliptical Orbit Intersegment\n\n\n\n                                       21\n\x0c    Telemetry, Tracking, and Commanding; and Highly Elliptical Orbit Early-On-\n    Orbit Test Mission Processing. We also reviewed specific areas of SBIRS\n    development testing concerning information assurance, interface, and\n    interoperability testing and computer test resources.\n\n    We performed this evaluation from September 2002 to June 2003 according to\n    standards implemented by the Inspector General of the Department of Defense.\n    We visited or contacted individuals and organizations within DoD, Aerospace\n    Corporation, Lockheed Martin Corporation, and Northrop Grumman Corporation\n    to review software testing.\n\n    Use of Computer-Processed data. We reviewed data contained in management\n    databases such as the Modified Design Compliance Matrix, the Requirements\n    Traceability Matrix, and the Requirements Verification Ledger. We used this\n    data to analyze requirement traceability and satisfaction. The Configuration\n    Control Board manages the Modified Design Compliance Matrix the Requirement\n    Traceability Matrix, and the Requirements Verification Ledger. Our findings are\n    not dependent on the data contained in those databases. Nothing came to our\n    attention because of the procedures that caused us to doubt the reliability of the\n    computer-processed data.\n\n    We did not review the accuracy of the algorithms that process satellite data, as\n    that was beyond the scope of this evaluation.\n\n    General Accounting Office High Risk Area. The General Accounting Office\n    has identified several high-risk areas in the DoD. This evaluation report provides\n    coverage of the Defense Systems Modernization high-risk area.\n\nManagement Control Program Review\n    DoD Directive 5010.38, \xe2\x80\x9cManagement Control (MC) Program,\xe2\x80\x9d August 26, 1996,\n    and DoD Instruction 5010.40, \xe2\x80\x9cManagement Control (MC) Program Procedures,\xe2\x80\x9d\n    August 28, 1996, require DoD organizations to implement a comprehensive\n    system of management controls that provides reasonable assurance that programs\n    are operating as intended and to evaluate the adequacy of the controls.\n\n    Scope of the Review of the Management Control Program. Management\n    control was not an announced objective of this evaluation. However, we\n    reviewed the management control program as it related to the overall evaluation\n    objectives, which included requirements flow control for the tracking of user\n    requirements,system specifications and technical progress to software and system\n    testing; responsible sign off authority for test plans and reports, and a metric used\n    to annually report extended developmental testing (see Finding A). In addition,\n    we reviewed management\xe2\x80\x99s system security certification and accreditation\n    process for the Interim Highly Elliptical Orbit Capability (see Finding B). We\n    reviewed management\xe2\x80\x99s self-evaluation applicable to those controls.\n\n    Adequacy of Management Controls. We identified material management\n    control weaknesses at the SBIRS Program Office as defined by DoD Instruction\n\n\n\n                                         22\n\x0c5010.40. The SBIRS Program Manager has not implemented a System Maturity\nMatrix or similar management tool; has not assumed approval responsibility for\nall critical test plans and reports; and has not established the process for issuance\nof annual interim test report metric. The SBIRS Program Manager should\nimplement a System Maturity Matrix or similar management tool for tracking the\ntechnical progress of user and system requirements to test results and effectivity\nmilestones, should be the responsible authority for signing off all critical\ndevelopment test plans and reports, and should establish the metric of issuing\nannual interim test reports during extended developmental testing to key program\ndecision makers.\n\nIf management implements the recommendations, the management control\nweaknesses identified will be corrected. A copy of the report will be provided to\nthe senior official responsible for management controls within the office of the\nAir Force Program Executive Officer for Space.\n\nAdequacy of Management\xe2\x80\x99s Self-Evaluation. On December 31, 2001, the\nSecretary of the Air Force notified Congress that the SBIRS High program had a\nNunn-McCurdy cost breach. The cost breach was a material weakness. In order\nto fulfill Nunn-McCurdy requirements for program recertification, the Under\nSecretary of Defense for Acquisition, Logistics, and Technology conducted\nprogram reviews. These reviews included an evaluation of SBIRS by an IRT.\nThe IRT reported on the root causes of the Nunn-McCurdy cost breach along with\ncorrective actions. IRT corrective actions included establishment of requirements\nflow control, delivering system capabilities in blocks, and the establishment of\nnew meaningful metrics.\n\nAlthough the IRT evaluation identified and reported on the root causes of the\nNunn-McCurdy Breach, the SBIRS Program Office did not completely implement\ncorrections for the material weakness. In particular, SBIRS Program Office did\nnot follow the policies in AFI 99-101 for use of a System Maturity Matrix, the\nprogram office had not assumed responsibility for sign off on all critical test plans\nand reports, and the program office had not established the process for issuance of\nannual interim test reports during extended developmental testing. Without\neffective management and oversight of development testing, SBIRS High is at\nsignificant risk of repeating problems previously identified during program\nrecertification.\n\n\n\n\n                                     23\n\x0cAppendix B. Prior Coverage\n      During the last 5 years, the General Accounting Office (GAO) has issued three\n      reports related to SBIRS High, and three reports were issued by internal Air Force\n      reviews. Unrestricted GAO reports can be accessed over the Internet at\n      http://www.gao.gov/.\n\nGAO\n      GAO Report No. GAO-04-48, \xe2\x80\x9cDespite Restructuring, SBIRS High Program\n      Remains at Risk of Cost and Schedule Overruns,\xe2\x80\x9d October 31, 2003\n\n      GAO Report No. GAO-02-738, \xe2\x80\x9cMilitary Space Operations - Planning, Funding,\n      and Acquisition Challenges Facing Efforts to Strengthen Space Control,\xe2\x80\x9d\n      September 23, 2002\n      GAO Report No. GAO-01-7C, \xe2\x80\x9cDefense Acquisition: Risks Associated With\n      Space-Based Missile Warning Need to be Addressed,\xe2\x80\x9d September 18, 2001\n\nAir Force\n      Independent Review Team, Report to Assistant Secretary of the Air Force\n      (Acquisition) and Executive Vice President, Lockheed Martin Space Systems\n      Company, February 2002\n\n      Management Assessment Team, Report to Assistant Secretary of the Air Force\n      (Acquisition), March 31, 2000\n\n      Joint Estimate Team Report \xe2\x80\x93 May 1999\n\n\n\n\n                                          24\n\x0cAppendix C. Definitions of Technical Terms\nClass 2 Security \xe2\x80\x93 Operating system security that includes unique user logon Ids and\npasswords, auditing and accountability of users and processes, and access controls for the\nprotection of object reuse.\n\nCode and Unit Test \xe2\x80\x93 The lowest level developer test of software. The purpose of unit\ntesting is to validate requirements expressed in the detailed design descriptions and\nsoftware requirements specifications. Unit testing is performed to ensure that all source\nstatements in a unit have been executed, each conditional branch has been taken, and that\nall boundary values (for example, minimum-maximum values) and edit criteria are tested.\n\nComponent Integration and Test \xe2\x80\x93 Ground segment design document qualification and\nsegment verification tests are performed to verify software requirement specifications\nand ground segment requirements.\n\nDevelopment Integration Test \xe2\x80\x93 The step in the software development lifecycle that\nfollows code and unit test; it consists of the integration of code modules to form\nexecutables and/or libraries.\n\nEffectivity \xe2\x80\x93 The point at which a major system requirement capability becomes\navailable to the SBIRS Program. SBIRS Increment 2 development is divided into\n10 effectivities.\n\nInterim Highly Elliptical Orbit Capability (IHC) \xe2\x80\x93 Four SBIRS subsystems, plus the\nconnecting network. The subsystems consist of the Interim Highly Elliptical Orbit Test\nCenter, the Mission Control Station Technical Intelligence Center, the SBIRS Anomaly\nResolution Center, and the Relay Ground Station.\n\nMission-Critical Software \xe2\x80\x93 Any software that operates the system.\n\nMission Processing \xe2\x80\x93 One of the five software domains in SBIRS. Accepts satellite\ntelemetry; performs mission processing for Theater, Strategic, Battlespace\nCharacterization, and Technical Intelligence missions; performs Human-to-Computer\ninterface tasks; prepares messages for user communication interface, and other tasks.\n\nPenetration Test \xe2\x80\x93 Security testing in which evaluators attempt to circumvent the\nsecurity features of a system based on their understanding of the system design and\nimplementation, to identify methods of gaining access to a system by using common\ntools and techniques developed by hackers.\n\nSpace Based Infrared System (SBIRS) Increment 1 \xe2\x80\x93 Consolidation of Defense\nSupport Program assets under the SBIRS High program.\n\nSpace Based Infrared System (SBIRS) Increment 2 \xe2\x80\x93 Delivery of SBIRS High\nsatellites and additional capability for the ground segment.\n\n\n\n\n                                           25\n\x0cSecurity Certification Level 3 \xe2\x80\x93 A certification level for IT systems, determined by\nweighting system characteristics in accordance with the DoD Information Technology\nSecurity Certification and Accreditation Process. The level of effort required to perform\nthe certification is dependent on choosing the correct certification level.\n\nSecurity Test and Evaluation \xe2\x80\x93 Examination and analysis of the safeguards required to\nprotect an information system, as they have been applied in an operational environment,\nto determine the security posture of that system.\n\nSystem Test \xe2\x80\x93 These tests verify that the integrated ground and space segments meet\nSBIRS High component specifications.\n\nTelemetry, Tracking, and Commanding \xe2\x80\x93 One of the five software domains in SBIRS.\nThis domain is responsible for providing the space to ground interface via telemetry and\ncommand processing; it process satellite commanding requests from Mission\nManagement and operator; processes satellite and sensor state of health data for display\nto the operator; and interfaces with Ground Control subsystem to provide status and to\naccept and execute system reconfiguration actions.\n\n\n\n\n                                           26\n\x0cAppendix D. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisitions, Technology, and Logistics\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Networks and Information Integration/Administration\n   and Management)\nDirector, Defense Procurement and Acquisition Policy\n\nDepartment of the Army\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\nCommander, Space and Missile Systems Center\n  System Program Director, Space Based Infrared System, Space and Missile Systems\n  Center\n\nOther Defense Organization\nDeputy Inspector General (Industrial Security), Defense Security Service\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\n\n\n\n                                          27\n\x0cCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency and Financial Management, Committee\n  on Government Reform\nHouse Subcommittee on National Security, Emerging Threats, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology, Information Policy, Intergovernmental Relations\n  and the Census, Committee on Government Reform\n\n\n\n\n                                       28\n\x0cDepartment of the Air Force Comments\n\n\n\n\n                     29\n\x0c30\n\x0c31\n\x0c32\n\x0c33\n\x0cTeam Members\nThe Audit Followup and Technical Support Directorate, Office of the Assistant\nInspector General for Auditing of the Department of Defense prepared this report.\nPersonnel of the Office of the Inspector General of the Department of Defense\nwho contributed to the report are listed below.\n\nDavid A. Brinkman\nKenneth H. Stavenjord\nPeter C. Johnson\nMajor Shurman L. Vines, USA\nErnest G. Fine\nAnn A. Ferrante\nAnne V. Bonds\n\x0c'